Women in Cybersecurity: In Conversation with Cybersecurity Expert Michelle Drolet

Cybersecurity is a growing concern due to the increasing frequency and sophistication of cyberattacks, coupled with the rise of digital dependence and vulnerabilities. 

As per reports, the global cyber security market size was estimated at USD 245.62 billion in 2024 and is projected to grow at a CAGR of 12.9 percent from 2025 to 2030.

The challenge for organizations is to stay one step ahead of the evolving threat landscape, investing in the tools, talent, and strategies needed to ensure their long-term resilience to ever-present cyber risks.

To explore this crucial topic further, we spoke to Michelle Drolet, a renowned woman leader in cybersecurity. With deep expertise in data security preparedness, network security and risk management, Michelle tells us why the importance of cybersecurity cannot be overstated.

Join us as we unveil the dark side, exposing the ever-evolving landscape of cybersecurity risks that demand our attention and vigilance.

Q. As a cybersecurity expert, can you tell us what excites you about this role?

Drolet: Ever since I studied criminal justice in college, I’ve wanted to fight the bad guys. As a cybersecurity expert and the CEO of Towerwall, what excites me about my role is the opportunity to stay at the forefront of technology, regulations, current threats and cybersecurity trends.

We advocate our people, process, partners and products. I am motivated by the challenge of protecting our clients in biotech, healthcare, financial services, and education, all highly regulated industries, from the onslaught of cyber threats, as well as the chance to lead a great team in offering innovative ways to safeguard our clients while remaining compliant with complex regulatory demands.

This inspires and energizes me every day.

Q. What is your take on ‘cyber hygiene’, and why is it important? Any tips/ best practices to keep yourself safe online?

Drolet: Cyber hygiene refers to best practices taken by individuals and organizations to maintain their digital security and sustain integrity. It is crucial because maintaining good cyber hygiene helps to mitigate cyberattacks, data breaches, and other security threats.

It involves password management, software updates, data encryption, and being cautious about sharing personal information online. Much is involved. Tips for maintaining good cyber hygiene include using a password manager to generate and store complex alpha-numeric passwords for each account, and not using the same password twice. Enabling two-factor authentication should be mandatory. Regularly updating software, operating systems, and applications to patch security vulnerabilities. Being skeptical about clicking on links or downloading attachments. (If it seems too good to be true, it probably is.) Encrypting sensitive data both at rest and in transit. Being mindful of sharing personal information on social media and other online platforms.

Educate yourself and stay informed about the latest threats and best practices. Bringing in expert talent and outside help will significantly reduce the real risk of falling victim to cyberattacks.

Q. How do you think AI is transforming cybersecurity? Is AI a blessing or a curse?

Drolet: AI is both a blessing and a potential curse. Starting with the pluses, AI is great for advancing threat detection. AI tools can analyze vast amounts of data in real-time to identify patterns and anomalies that may indicate a cyber threat.

AI can automate and streamline incident response processes, enabling faster detection, containment, and remediation of security incidents. AI can learn normal user and system behavior, allowing it to detect deviations that may be indicative of a potential security breach. The downsides? The bad guys are using AI to develop more sophisticated cyberattacks and launching them at scale. Gone are the days of typos and bad grammar. AI-powered malware can sometimes evade security measures. Agentic AI introduces autonomous processes. There’s the so-called black box AI, where even developers don’t understand how GenAI tools arrive at their answers from prompts. Without trust, reliability, and transparency, how can organizations use AI ethically? Many challenges abound.

There’s also a lot of “Shadow AI,” where employers have no clue what AI tools employees use and what they do, raising concerns of proprietary leaks. Write a policy on acceptable usage and implement enforcement tools new to the market.

Q. The Ghibli-style photo trend is fun, but is it safe? How risky exactly is this trend? 

Drolet: The Ghibli-style photo trend, while fun, poses risks to your privacy as uploaded images may be stored, used for AI training, exploited for malicious purposes, and could contain revealing metadata.

Your photo could be misused to create deepfake video impersonations and for identity theft. Right now, anybody can create a deepfake given a short audio clip and a headshot, making that person say something they would never say. AI is making it nearly impossible for deepfakes to discern fact from fiction. Fraudsters are using AI to create entirely false personas, complete with their own LinkedIn profiles and websites, applying for jobs as a gateway for breaching organizations.

To read the story, search “North Korean threat actor hired for job.”

Q. Social engineering in cybersecurity is a concern. The best way to outsmart a social engineer?

Drolet: The vast majority of ransomware attacks originate from a simple phishing email or text. Phishing, pretexting, baiting, vishing, and smishing are all forms of social engineering.

You need to run regular cybersecurity awareness training and phishing simulation exercises to educate employees on identifying and reporting these scams. Practice makes perfect; phishing testing should be done monthly at random intervals. Of course, limit the amount of personal and sensitive information you share online and offline. Be wary of unsolicited requests for personal or financial information. Always verify the identity of individuals requesting sensitive information, especially over the phone or via email. Always verify the legitimacy of unexpected requests or suspicious URLs.

Watch for urgent language that preys on human emotions like greed, fear, and impulsiveness. Trust, then verify.

Q. How does a company handle a significant security breach?

Drolet: The company should immediately activate the incident response team to determine if there is an incident leading to a breach, and then contain the breach to prevent further damage.

If there was a breach of sensitive data, assess the extent of the breach, notify relevant parties (law enforcement, insurance, legal, compliance, partners), and preserve evidence for forensic analysis and potential legal action. Conduct a post-incident analysis to identify root causes. (Most likely, human error.) Update the incident response plan accordingly. By responding promptly, the company can mitigate the impact and strengthen its cybersecurity posture for the future. But it should all start by having a plan established well before the incident. A plan that starts with doing a risk assessment and security reviews; a program that includes policies, a remediation plan, biannual penetration testing, tabletop exercises, and regular security awareness training for employees.

Handling an incident post-breach requires a well-rehearsed plan, strategies to mitigate the damage, quarantine infected systems, protect the most prized assets, and restore things back to normal.

Q. How can organizations stay updated on the latest security threats?

Drolet: Subscribe to industry-specific security alert services like CISA and newsletters to receive regular updates on the latest threats and vulnerabilities.

Attend relevant conferences, webinars, and workshops to stay informed. (My company Towerwall puts on an annual Information Security Summit hosted by MassBay Community College, in May.) It’s crucial to run regular security assessments, including penetration testing, to identify and address potential vulnerabilities in your systems and infrastructure.

Q. Any advice you would like to give to future cybersecurity leaders?

Drolet: Stay updated on the latest trends, technologies, and threats through continuous learning and professional development. Get outside your four walls or have a partner bring relevant information to you and your team.

Develop incident response plans, conduct regular phishing simulations, and be prepared to respond with a plan to any security incident. Realize that nurturing a healthy cybersecurity culture in the organization is everything. Advocate for cybersecurity awareness and education, even extending this to your partners. Be sure to lead by example, demonstrate a strong commitment to cybersecurity practices, and inspire others to prioritize security. It takes a top-down approach.

Everyone should be accountable. Uphold ethical standards and integrity to build trust and credibility.

Bio:

Michelle Drolet is the CEO and founder of Towerwall, a specialized cybersecurity firm focused on proactive incident preparedness, compliance, and professional cybersecurity services.

Michelle’s leadership and contributions have garnered notable accolades, including a place on Forbes’ “50 Over 50: Innovation” list and recognition by CIO Views as one of the “10 Most Innovative CEOs of the Year.”

She also actively participates on various boards, including the MassBay Cybersecurity Program Advisory Board, and is dedicated to mentoring the next generation of cybersecurity talent.

Gizel Gomes

Gizel Gomes is a professional technical writer with a bachelor's degree in computer science. With a unique blend of technical acumen, industry insights, and writing prowess, she produces informative and engaging content for the B2B leadership tech domain.